I was reading a thread (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,925.msg2815/) on this site asking about the best anti-virus, anti-spam, anti-spyware (anti-x) software to use for learning the fundamentals of these programs. Someone in the post made the comment that signature-based anti-virus was easily defeated and that security experts should turn to behavior- or heuristic-based anti-virus where appropriate. That inspired me to try and find out if I could defeat some signature-based anti-virus software.

Here is the setup. I'm using a laptop computer running Ubuntu 6.10, fully patched and with a lot of additional software. For this example, the only software that I'll be using that isn't "out of the box" is called hexedit. If you're using Ubuntu you can update /etc/apt/sources.list to include the universe repositories and execute sudo apt-get install hexedit if you don't have this already installed. I'll also be using a fully patched Windows XP desktop running Symantec Anti-virus version 10.1.0.396 using virus definitions from 12/22/2006 (revision 9). Since I don't want to play around with actual virus files, I've decided that I'm going to use the Windows version of Netcat, which Symantec labels as a hack tool and will not allow on your filesystem. Netcat for Windows is available here: http://www.vulnwatch.org/netcat/

I started this experiment by downloading the Windows version of Netcat, and extracting nc.exe into a folder on the linux laptop. I then ran md5sum against the file to get a hash value of the file. Here is the output of that command.

We need to create two folders, one for the original file and one for the file that we will modify. Put a copy of nc.exe in each folder. Now I'm going to open the file to be modified using my hex editor. The command is very simple: hexedit nc.exe. The command will bring up the file in hexadecimal mode. Off to the right side you'll see any strings that are in the executable. The following link is a screenshot of the file on my laptop. http://mavdisk.mnsu.edu/kevin/antiv/nc-before.jpg

You'll notice on the third line in the ASCII column that there is a line of text, "am cannot be run in DOS mode". I'm going to try changing that to something else. The rationale being that by changing this line of text I will change the hash of the file without possibly destroying some function within the program. Scroll down to line three and type new hex characters over the old ones. In this case I incremented each hex character by one. Thus I have changed the third line to read

As you can see the hash value of the file is now radically different. I'm also going to change the name of the file just in case that is one of the measures that is used to identify this "hack" tool. OK, first the control test. I'm going to attempt to copy the original unedited nc.exe to my Windows machine. As expected Symantec has blocked the file. A screenshot of the error is available here. http://mavdisk.mnsu.edu/kevin/antiv/nc-reject.jpg

Now I'll move the modified and renamed version of the file over to my machine. The renamed version is kevin.exe. Argh, the bitter taste of failure! Here is a screenshot to prove that my experiment has not worked. http://mavdisk.mnsu.edu/kevin/antiv/kevin-reject.jpg

So what was the point of all of this? Well, for starters, I wanted to learn how to do this, and hopefully someone here has an answer for me. Second, if someone else wants to know how to modify a file to get around the anti-virus signatures they can read this and know that they have to find another way. This gives other people the ability to follow my work. Finally, it's important for everyone to know that failure is a part of learning... don't let it get you down.

For me, changing hex values is not nearly as fruitful as using a packer/crypter. If it's a crypter you have written yourself, or paid someone to, you will defeat virtually every anti-virus out there. Unfortunately, "heuristic" scanning is just the anti-virus raising alerts on what it sees as a near or possible match to the signature. This really is not much better and can be a pain when it gives false positives. The best method would be to run a real memory scan and determine what a particular executable's behavior is. No major anti-virus vendor does that at this point in time.

Recently I noticed an entry by Kevin Thompson (mn_kthompson) on the Ethical Hacker Network (EHN). The author talked about bypassing signature-based anti-virus software (http://www.ethicalhacker.net/component/ ... g2845/#new). Although Kevin is not a malware analysis expert, he outlines a few initial steps that somebody might take to accomplish anti-virus evasion. The EHN user Kev responded (http://www.ethicalhacker.net/component/ ... 45#msg2845) that another method to avoid detection is to use a program packer or crypter to modify the program.

To get started I modified the nc.exe program by using the hex editor to change the word "program" to "PROGRAM". I saved this file as nc_PROGRAM.exe. Next I used the UPX packer to pack the nc.exe program and the nc_PROGRAM.exe. I used the following commands to convert these files.

Code:

upx.exe --brute -o nc_orig_upx.exe nc.exe
upx.exe --brute -o nc_PROGRAM_upx.exe nc_PROGRAM.exe

Once the programs were packed I got the MD5 hash for each. Here are the results:

Of course, how could I be sure that all of these programs would still work properly? I figured that as all of these programs are executables if one thing does not work then the whole thing will not work. So, to check functionality I decided to simply ask for the help output. I ran each program with the help (-h) options. Each one gave me the same output so I am going to assume that each one is as functional as the other.

As I am running AVG Free on my system I do not have a good way to determine whether I would get the same results as Kevin did with Symantec's Norton Antivirus. What I have found in my readings of forums and other documentation is the existence of a website that will analyze an uploaded file using a plethora of antivirus software. Although I think that they included Symantec's product at one point, it currently does not seem to provide this vendor. The service I am talking about is provided by VirusTotal (http://www.virustotal.com). The list of antivirus programs they use can be found through their "VirusTotal" (http://www.virustotal.com/en/virustotalx.html) link, but this list is outdated and should not be used for reference. One thing I should definitely point out here is the fact that even by using this service to analyze a file you should be wary of the results. VirusTotal puts it best by stating:

"VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware."

So, what are the real differences here? Not much really. The majority of the antivirus vendors do not consider nc.exe a malicious program. Of the vendors that do, only "eSafe" and "Fortinet" were fooled by simply modifying a few bits in the executable. This probably means that these vendors are identifying the program by its hash signature. Packing the original program did apparently bypass checks by "TheHacker", although it did cause "eSafe" to reclassify the program from "Win32.HackTool" to "suspicious Trojan/Worm." I am not sure what this actually means other than "eSafe" is identifying the fact that the program is packed and therefore labeling it as malicious. Finally, the packed version of the modified Netcat file only changes the response of the vendor "Fortinet", which now labels the program as "suspicious."

So, what are my conclusions from all of this? Well, first, simple modification and packing does not seem to affect the conclusions made by the majority of antivirus vendors. Second, it seems that the vendors “eSafe,” “Fortinet,” and “TheHacker” are not very consistent with their analysis of programs and therefore their results should be questioned or at least confirmed. Third, the next step is to do this with a virus in a controlled environment (which I do not have so I will not be pursuing this step) to test the conclusion of the other vendors under similar circumstances. Lastly, Kevin and Kev’s steps for initially delving into the malware field are interesting and worth recreating. Keep up the good work. Y’all might not have found a way to slip flagged programs by antivirus systems yet, but y’all are definitely on the right track.

Excellent post and well presented research, Cutaway. Remember that the key to using a crypter is that it has to be a private one. If it's a packer or crypter that the AV vendor is aware of, it will not defeat it. Although I was surprised that I was able to pass a Trojan through Norton's with a crypter that is readily available on the net. Makes me wonder what they charge all the money for? AVG Free caught it, lol! Of course you could just write a new virus that has its own unique signature that doesn't come close to matching any known virus. That would be the ultimate way to pass through most anti-virus programs. But it's much easier to write a unique crypter. You don't need a lot of programming skill to do that and that's why it's attractive to underground groups.

As a side note, anybody familiar with McAfee's EPO? Well, with that, it essentially creates a nice low-tech way to bypass McAfee's AV. I ran into this feature when I loaded the corporate version of the software and it went ahead and deleted and/or quarantined a bunch of "security" tools that I use like Cain and LC. I noticed that even if I created a folder and told McAfee not to scan it, the EPO overwrote it. Well, when browsing I found the Service folder that keeps sanctioned corporate tools like pskill that would normally be removed by McAfee. So I loaded a bunch of tools into the directory and voila, they weren't removed by full scans or the on-demand scanner. What's even more interesting is that even malware that I've copied over from other machines seems to make it through the scans. I think this same method probably would work with all the top AV vendors in a corporate environment. Assuming the machine was already compromised, an attacker could pull info out of the registry automatically and tell them where the AV was instructed not to scan. It would require a little more coding effort to find out where all this info is stored for the most popular AV products, but how difficult would it be to handle something like this? If the EPO admin wanted to clean the malware from the directory, they would risk removing all the legitimate tools stored there as well.

You know what would be awesome? It would be awesome if this were easier to do. I mean, awesome from the perspective of the person trying to slip malware under the anti-virus software's radar. From the perspective of being the security guy for a University, it would be un-awesome.

Anyway, I have had moderate success sneaking netcat past my Symantec Anti-virus by using brute force packing and encrypting. By brute force, I mean running the executable through multiple packers/encrypters, and by moderate success I mean that it worked one time, and I wasn't able to duplicate the results. Here is how I got the moderate success: I edited the hex like I described above, and then I packed it with UPX the way Cutaway described. Then I used Morphine v2.7 to crypt the file that was packed with UPX. One time I was able to copy the resulting file to my PC and run it. Strangely, though, even though the file ran properly, when I exited netcat and tried to delete the crypted file, THEN Symantec came up and detected it as being bad. From that point on, the same technique hasn't worked on my machine.

Anyway, as Kev was saying, using any of the commonly available packers/crypters will probably not sneak something past the AV software because the AV software looks for those packers. You'll probably have to write your own stuff. However, for those of you that are noobish like me and aren't very experienced programmers, you'll find that the source code that is available can be tough to follow, and so we run into that wall that separates the people who are 1337 from the noobz. I'll keep researching ways to slip past the AV, but I'm not very confident in what I'm going to find.

I haven't stopped working on this yet. I've tried a few more tricks and I've been surprised at what has worked and what hasn't. I'd like to pass on my findings in case anyone is curious.

Today I've been messing around with appending random garbage onto netcat for windows to see if I could slip that past my antivirus software. First, I copied nc.exe over to my linux machine, and I created a garbage file:

Code:

dd if=/dev/urandom of=garbage bs=1 count=512

Then I appended the garbage file to the end of nc.exe

Code:

cat nc.exe garbage > nc2.exe

The resulting file, nc2.exe, runs just fine on a Windows XP machine that is not running anti-virus. Then I copied it to my machine that is running Symantec antivirus, and surprisingly it worked! However, just like my experiments from yesterday, it only worked one time. Soon after the program ran, Symantec identified it as netcat and quarantined it. From that point on I couldn't duplicate my results, even using new or larger garbage files. Incidentally, this trick of appending garbage to the end of the file did fool two of the programs on virustotal.com, namely eSafe and Fortinet. I also tried taking my modified nc.exe and packing it with UPX, but that didn't fool Symantec on my machine. Packing the executable with garbage on the end actually made the file more recognizable by VirusTotal. Every program that Cutaway listed as catching his packed netcat also caught the packed netcat with garbage appended.

From a file copy perspective, one thing that has worked consistently is to append the garbage to the front of the executable rather than the back. Symantec has let me copy the resulting file to my machine every time. The problem is, of course, that the executable won't run because there is nothing but gibberish for the first 512 bytes. This is another place where a stub would be handy. I'd like to see something that results in a valid PE (portable executable) header that instructs the operating system to skip the next 512 bytes and pick up from there. Then I could append the garbage to the end of that and nc.exe to the end of that. I'm not a great programmer though, and I haven't been able to find much on the web to point me in the right direction.
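An added defender-side illustration (not part of any post in this thread) of why the appended-garbage trick above is visible to anything that looks past a file hash: the PE section table says where the image ends, so bytes after the last raw section are "overlay" data an analyst can flag, and garbage in front simply destroys the MZ stub. The sample PE buffer, the garbage bytes and the function names are all constructed here and stand in for nc.exe and /dev/urandom.

```python
import struct

def pe_image_end(data: bytes) -> int:
    """Offset where the PE image ends (end of the last raw section). Raises
    ValueError if the 'MZ'/'PE' headers are missing, e.g. data was prepended."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE, or data was prepended")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    sect_table = coff + 20 + opt_size         # first IMAGE_SECTION_HEADER
    end = sect_table + 40 * num_sections      # at minimum, the headers themselves
    for i in range(num_sections):
        # SizeOfRawData, PointerToRawData live at +16/+20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def overlay_size(data: bytes) -> int:
    """Bytes after the last section: 0 for a clean build, >0 if data was appended."""
    return len(data) - pe_image_end(data)

def looks_like_pe(data: bytes) -> bool:
    try:
        pe_image_end(data)
        return True
    except ValueError:
        return False

def build_toy_pe(section_bytes: bytes) -> bytes:
    """Constructed PE-shaped fixture with one section; not a runnable binary."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200   # PE32 optional header = 224 bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 2, 1)        # NumberOfSections = 1
    struct.pack_into("<H", coff, 16, opt_size)
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<II", sect, 16, len(section_bytes), raw_ptr)
    image = bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt_size) + bytes(sect)
    return image + bytes(raw_ptr - len(image)) + section_bytes   # pad to raw_ptr

CLEAN = build_toy_pe(b"\x90" * 1024)          # stand-in for the original nc.exe
GARBAGE = bytes(range(256)) * 2               # deterministic stand-in for /dev/urandom
APPENDED = CLEAN + GARBAGE                    # cat nc.exe garbage > nc2.exe
PREPENDED = GARBAGE + CLEAN                   # garbage in front: MZ stub is gone

if __name__ == "__main__":
    for name, blob in ("clean", CLEAN), ("appended", APPENDED), ("prepended", PREPENDED):
        print(name, overlay_size(blob) if looks_like_pe(blob) else "not a PE")
```

Run against a real binary, a non-zero overlay is a common hunting signal; UPX and other packers rewrite the section table, which is one reason a simple hash is not what most engines key on.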

I noticed you used the crypter Morphine. Fortunately or unfortunately, depending on your point of view, it is now picked up by most anti-virus vendors. The interesting thing about it was how it beat most anti-virus software for many months before vendors decided to include it in their detection. What's really amazing is, if I remember correctly, that it was publicly available on the net for most of that time!

I responded to a comment posted to my blog. Here is the comment and my response.

kurt wismer, comment @ 01/07/07 at 7:19 am

Instead of using a virus (which you do not have) to continue experimenting with, why not use the EICAR standard anti-virus test file? After all, if you're just testing how well you can hide an arbitrary program from an anti-virus scanner, all that should really matter is that you use something the scanner would normally detect, and just about everything detects the EICAR standard anti-virus test file...

I thought about using EICAR but I decided against it. As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point). Kev from Ethical Hacker has actually already done this anyway (http://www.ethicalhacker.net/component/ ... pic,821.0/); I just didn't see it until after my post. It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packers/crypters will be included in their efforts.

I think the primary goal of this experiment (at least for me) was to start thinking about ways to hide programs that might be uploaded for penetration testing. What I get out of this is that simple modification is not enough. I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me. I like this better because uploads and new processes will probably be logged and then there is more work to hide it all. If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software. I will then also probably consider some of the other aspects of anti-virus evasion methods as described in the Ethical Hacker discussion (http://www.ethicalhacker.net/component/ ... pic,940.0/) before doing such uploads.